2 net_packet.c -- Handles in- and outgoing VPN packets
3 Copyright (C) 1998-2005 Ivo Timmermans,
4 2000-2014 Guus Sliepen <guus@tinc-vpn.org>
5 2010 Timothy Redaelli <timothy@redaelli.eu>
6 2010 Brandon Black <blblack@gmail.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License along
19 with this program; if not, write to the Free Software Foundation, Inc.,
20 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
35 #include "connection.h"
52 #define MAX(a, b) ((a) > (b) ? (a) : (b))
55 /* The minimum size of a probe is 14 bytes, but since we normally use CBC mode
56 encryption, we can add a few extra random bytes without increasing the
57 resulting packet size. */
58 #define MIN_PROBE_SIZE 18
62 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
65 static void send_udppacket(node_t *, vpn_packet_t *);
67 unsigned replaywin = 16;
68 bool localdiscovery = true;
69 bool udp_discovery = true;
70 int udp_discovery_keepalive_interval = 9;
71 int udp_discovery_interval = 2;
72 int udp_discovery_timeout = 30;
74 #define MAX_SEQNO 1073741824
76 static void try_fix_mtu(node_t *n) {
80 if(n->mtuprobes == 20 || n->minmtu >= n->maxmtu) {
81 if(n->minmtu > n->maxmtu)
82 n->minmtu = n->maxmtu;
84 n->maxmtu = n->minmtu;
86 logger(DEBUG_TRAFFIC, LOG_INFO, "Fixing MTU of %s (%s) to %d after %d probes", n->name, n->hostname, n->mtu, n->mtuprobes);
91 static void udp_probe_timeout_handler(void *data) {
93 if(!n->status.udp_confirmed)
96 logger(DEBUG_TRAFFIC, LOG_INFO, "Too much time has elapsed since last UDP ping response from %s (%s), stopping UDP communication", n->name, n->hostname);
97 n->status.udp_confirmed = false;
104 static void send_udp_probe_reply(node_t *n, vpn_packet_t *packet, length_t len) {
105 if(!n->status.sptps && !n->status.validkey) {
106 // But not if we don't have his key.
107 logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request from %s (%s) but we don't have his key yet", n->name, n->hostname);
111 logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request %d from %s (%s)", packet->len, n->name, n->hostname);
113 /* Type 2 probe replies were introduced in protocol 17.3 */
114 if ((n->options >> 24) >= 3) {
115 uint8_t *data = DATA(packet);
117 uint16_t len16 = htons(MAX(len, n->maxrecentlen));
119 memcpy(data, &len16, 2);
120 packet->len = MIN_PROBE_SIZE;
122 /* Legacy protocol: n won't understand type 2 probe replies. */
126 /* Temporarily set udp_confirmed, so that the reply is sent
127 back exactly the way it came in. */
129 bool udp_confirmed = n->status.udp_confirmed;
130 n->status.udp_confirmed = true;
131 send_udppacket(n, packet);
132 n->status.udp_confirmed = udp_confirmed;
135 static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
136 if(!DATA(packet)[0]) {
137 /* It's a probe request, send back a reply */
138 return send_udp_probe_reply(n, packet, len);
141 if (DATA(packet)[0] == 2) {
142 // It's a type 2 probe reply, use the length field inside the packet
144 memcpy(&len16, DATA(packet) + 1, 2);
148 logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s)", DATA(packet)[0], len, n->name, n->hostname);
150 /* It's a valid reply: now we know bidirectional communication
151 is possible using the address and socket that the reply
153 n->status.udp_confirmed = true;
156 timeout_del(&n->udp_ping_timeout);
157 timeout_add(&n->udp_ping_timeout, &udp_probe_timeout_handler, n, &(struct timeval){udp_discovery_timeout, 0});
160 if(len > n->maxmtu) {
161 logger(DEBUG_TRAFFIC, LOG_INFO, "Increase in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
164 /* Set mtuprobes to 1 so that try_mtu() doesn't reset maxmtu */
167 } else if(n->mtuprobes < 0 && len == n->maxmtu) {
168 /* We got a maxmtu sized packet, confirming the PMTU is still valid. */
170 n->mtu_ping_sent = now;
173 /* If applicable, raise the minimum supported MTU */
175 if(n->minmtu < len) {
181 static length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
183 memcpy(dest, source, len);
185 } else if(level == 10) {
187 lzo_uint lzolen = MAXSIZE;
188 lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
193 } else if(level < 10) {
195 unsigned long destlen = MAXSIZE;
196 if(compress2(dest, &destlen, source, len, level) == Z_OK)
203 lzo_uint lzolen = MAXSIZE;
204 lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
214 static length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level) {
216 memcpy(dest, source, len);
218 } else if(level > 9) {
220 lzo_uint lzolen = MAXSIZE;
221 if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK)
229 unsigned long destlen = MAXSIZE;
230 if(uncompress(dest, &destlen, source, len) == Z_OK)
242 static void receive_packet(node_t *n, vpn_packet_t *packet) {
243 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Received packet of %d bytes from %s (%s)",
244 packet->len, n->name, n->hostname);
247 n->in_bytes += packet->len;
252 static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
254 return sptps_verify_datagram(&n->sptps, DATA(inpkt), inpkt->len);
256 #ifdef DISABLE_LEGACY
259 if(!digest_active(n->indigest) || inpkt->len < sizeof(seqno_t) + digest_length(n->indigest))
262 return digest_verify(n->indigest, SEQNO(inpkt), inpkt->len - digest_length(n->indigest), DATA(inpkt) + inpkt->len - digest_length(n->indigest));
266 static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
267 vpn_packet_t pkt1, pkt2;
268 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
271 pkt1.offset = DEFAULT_PACKET_OFFSET;
272 pkt2.offset = DEFAULT_PACKET_OFFSET;
274 if(n->status.sptps) {
275 if(!n->sptps.state) {
276 if(!n->status.waitingforkey) {
277 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but we haven't exchanged keys yet", n->name, n->hostname);
280 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
284 inpkt->offset += 2 * sizeof(node_id_t);
285 if(!sptps_receive_data(&n->sptps, DATA(inpkt), inpkt->len - 2 * sizeof(node_id_t))) {
286 logger(DEBUG_TRAFFIC, LOG_ERR, "Got bad packet from %s (%s)", n->name, n->hostname);
292 #ifdef DISABLE_LEGACY
295 if(!n->status.validkey_in) {
296 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
300 /* Check packet length */
302 if(inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) {
303 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got too short packet from %s (%s)",
304 n->name, n->hostname);
308 /* It's a legacy UDP packet, the data starts after the seqno */
310 inpkt->offset += sizeof(seqno_t);
312 /* Check the message authentication code */
314 if(digest_active(n->indigest)) {
315 inpkt->len -= digest_length(n->indigest);
316 if(!digest_verify(n->indigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
317 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname);
321 /* Decrypt the packet */
323 if(cipher_active(n->incipher)) {
324 vpn_packet_t *outpkt = pkt[nextpkt++];
327 if(!cipher_decrypt(n->incipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
328 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Error decrypting packet from %s (%s)", n->name, n->hostname);
332 outpkt->len = outlen;
336 /* Check the sequence number */
339 memcpy(&seqno, SEQNO(inpkt), sizeof seqno);
340 seqno = ntohl(seqno);
341 inpkt->len -= sizeof seqno;
344 if(seqno != n->received_seqno + 1) {
345 if(seqno >= n->received_seqno + replaywin * 8) {
346 if(n->farfuture++ < replaywin >> 2) {
347 logger(DEBUG_ALWAYS, LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
348 n->name, n->hostname, seqno - n->received_seqno - 1, n->farfuture);
351 logger(DEBUG_ALWAYS, LOG_WARNING, "Lost %d packets from %s (%s)",
352 seqno - n->received_seqno - 1, n->name, n->hostname);
353 memset(n->late, 0, replaywin);
354 } else if (seqno <= n->received_seqno) {
355 if((n->received_seqno >= replaywin * 8 && seqno <= n->received_seqno - replaywin * 8) || !(n->late[(seqno / 8) % replaywin] & (1 << seqno % 8))) {
356 logger(DEBUG_ALWAYS, LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
357 n->name, n->hostname, seqno, n->received_seqno);
361 for(int i = n->received_seqno + 1; i < seqno; i++)
362 n->late[(i / 8) % replaywin] |= 1 << i % 8;
367 n->late[(seqno / 8) % replaywin] &= ~(1 << seqno % 8);
370 if(seqno > n->received_seqno)
371 n->received_seqno = seqno;
375 if(n->received_seqno > MAX_SEQNO)
378 /* Decompress the packet */
380 length_t origlen = inpkt->len;
382 if(n->incompression) {
383 vpn_packet_t *outpkt = pkt[nextpkt++];
385 if((outpkt->len = uncompress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->incompression)) < 0) {
386 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while uncompressing packet from %s (%s)",
387 n->name, n->hostname);
393 origlen -= MTU/64 + 20;
396 if(inpkt->len > n->maxrecentlen)
397 n->maxrecentlen = inpkt->len;
401 if(!DATA(inpkt)[12] && !DATA(inpkt)[13])
402 udp_probe_h(n, inpkt, origlen);
404 receive_packet(n, inpkt);
409 void receive_tcppacket(connection_t *c, const char *buffer, int len) {
411 outpkt.offset = DEFAULT_PACKET_OFFSET;
413 if(len > sizeof outpkt.data - outpkt.offset)
417 if(c->options & OPTION_TCPONLY)
420 outpkt.priority = -1;
421 memcpy(DATA(&outpkt), buffer, len);
423 receive_packet(c->node, &outpkt);
426 static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
427 if(!n->status.validkey && !n->connection)
433 if(!(DATA(origpkt)[12] | DATA(origpkt)[13])) {
434 sptps_send_record(&n->sptps, PKT_PROBE, (char *)DATA(origpkt), origpkt->len);
438 if(routing_mode == RMODE_ROUTER)
443 if(origpkt->len < offset)
448 if(n->outcompression) {
450 int len = compress_packet(DATA(&outpkt) + offset, DATA(origpkt) + offset, origpkt->len - offset, n->outcompression);
452 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)", n->name, n->hostname);
453 } else if(len < origpkt->len - offset) {
454 outpkt.len = len + offset;
456 type |= PKT_COMPRESSED;
460 /* If we have a direct metaconnection to n, and we can't use UDP, then
461 don't bother with SPTPS and just use a "plaintext" PACKET message.
462 We don't really care about end-to-end security since we're not
463 sending the message through any intermediate nodes. */
464 if(n->connection && origpkt->len > n->minmtu)
465 send_tcppacket(n->connection, origpkt);
467 sptps_send_record(&n->sptps, type, DATA(origpkt) + offset, origpkt->len - offset);
471 static void adapt_socket(const sockaddr_t *sa, int *sock) {
472 /* Make sure we have a suitable socket for the chosen address */
473 if(listen_socket[*sock].sa.sa.sa_family != sa->sa.sa_family) {
474 for(int i = 0; i < listen_sockets; i++) {
475 if(listen_socket[i].sa.sa.sa_family == sa->sa.sa_family) {
483 static void choose_udp_address(const node_t *n, const sockaddr_t **sa, int *sock) {
488 /* If the UDP address is confirmed, use it. */
489 if(n->status.udp_confirmed)
492 /* Send every third packet to n->address; that could be set
493 to the node's reflexive UDP address discovered during key
502 /* Otherwise, address are found in edges to this node.
503 So we pick a random edge and a random socket. */
506 int j = rand() % n->edge_tree->count;
507 edge_t *candidate = NULL;
509 for splay_each(edge_t, e, n->edge_tree) {
511 candidate = e->reverse;
517 *sa = &candidate->address;
518 *sock = rand() % listen_sockets;
521 adapt_socket(*sa, sock);
524 static void choose_local_address(const node_t *n, const sockaddr_t **sa, int *sock) {
527 /* Pick one of the edges from this node at random, then use its local address. */
530 int j = rand() % n->edge_tree->count;
531 edge_t *candidate = NULL;
533 for splay_each(edge_t, e, n->edge_tree) {
540 if (candidate && candidate->local_address.sa.sa_family) {
541 *sa = &candidate->local_address;
542 *sock = rand() % listen_sockets;
543 adapt_socket(*sa, sock);
547 static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
548 vpn_packet_t pkt1, pkt2;
549 vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
550 vpn_packet_t *inpkt = origpkt;
552 vpn_packet_t *outpkt;
553 int origlen = origpkt->len;
555 #if defined(SOL_IP) && defined(IP_TOS)
556 static int priority = 0;
557 int origpriority = origpkt->priority;
560 pkt1.offset = DEFAULT_PACKET_OFFSET;
561 pkt2.offset = DEFAULT_PACKET_OFFSET;
563 if(!n->status.reachable) {
564 logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
569 return send_sptps_packet(n, origpkt);
571 #ifdef DISABLE_LEGACY
574 /* Make sure we have a valid key */
576 if(!n->status.validkey) {
577 logger(DEBUG_TRAFFIC, LOG_INFO,
578 "No valid key known yet for %s (%s), forwarding via TCP",
579 n->name, n->hostname);
580 send_tcppacket(n->nexthop->connection, origpkt);
584 if(n->options & OPTION_PMTU_DISCOVERY && inpkt->len > n->minmtu && (DATA(inpkt)[12] | DATA(inpkt)[13])) {
585 logger(DEBUG_TRAFFIC, LOG_INFO,
586 "Packet for %s (%s) larger than minimum MTU, forwarding via %s",
587 n->name, n->hostname, n != n->nexthop ? n->nexthop->name : "TCP");
590 send_packet(n->nexthop, origpkt);
592 send_tcppacket(n->nexthop->connection, origpkt);
597 /* Compress the packet */
599 if(n->outcompression) {
600 outpkt = pkt[nextpkt++];
602 if((outpkt->len = compress_packet(DATA(outpkt), DATA(inpkt), inpkt->len, n->outcompression)) < 0) {
603 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while compressing packet to %s (%s)",
604 n->name, n->hostname);
611 /* Add sequence number */
613 seqno_t seqno = htonl(++(n->sent_seqno));
614 memcpy(SEQNO(inpkt), &seqno, sizeof seqno);
615 inpkt->len += sizeof seqno;
617 /* Encrypt the packet */
619 if(cipher_active(n->outcipher)) {
620 outpkt = pkt[nextpkt++];
623 if(!cipher_encrypt(n->outcipher, SEQNO(inpkt), inpkt->len, SEQNO(outpkt), &outlen, true)) {
624 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
628 outpkt->len = outlen;
632 /* Add the message authentication code */
634 if(digest_active(n->outdigest)) {
635 if(!digest_create(n->outdigest, SEQNO(inpkt), inpkt->len, SEQNO(inpkt) + inpkt->len)) {
636 logger(DEBUG_TRAFFIC, LOG_ERR, "Error while encrypting packet to %s (%s)", n->name, n->hostname);
640 inpkt->len += digest_length(n->outdigest);
643 /* Send the packet */
645 const sockaddr_t *sa = NULL;
648 if(n->status.send_locally)
649 choose_local_address(n, &sa, &sock);
651 choose_udp_address(n, &sa, &sock);
653 #if defined(SOL_IP) && defined(IP_TOS)
654 if(priorityinheritance && origpriority != priority
655 && listen_socket[n->sock].sa.sa.sa_family == AF_INET) {
656 priority = origpriority;
657 logger(DEBUG_TRAFFIC, LOG_DEBUG, "Setting outgoing packet priority to %d", priority);
658 if(setsockopt(listen_socket[n->sock].udp.fd, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
659 logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setsockopt", sockstrerror(sockerrno));
663 if(sendto(listen_socket[sock].udp.fd, SEQNO(inpkt), inpkt->len, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
664 if(sockmsgsize(sockerrno)) {
665 if(n->maxmtu >= origlen)
666 n->maxmtu = origlen - 1;
667 if(n->mtu >= origlen)
668 n->mtu = origlen - 1;
671 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending packet to %s (%s): %s", n->name, n->hostname, sockstrerror(sockerrno));
675 origpkt->len = origlen;
679 static bool send_sptps_data_priv(node_t *to, node_t *from, int type, const void *data, size_t len) {
680 node_t *relay = (to->via != myself && (type == PKT_PROBE || (len - SPTPS_DATAGRAM_OVERHEAD) <= to->via->minmtu)) ? to->via : to->nexthop;
681 bool direct = from == myself && to == relay;
682 bool relay_supported = (relay->options >> 24) >= 4;
683 bool tcponly = (myself->options | relay->options) & OPTION_TCPONLY;
685 /* Send it via TCP if it is a handshake packet, TCPOnly is in use, this is a relay packet that the other node cannot understand, or this packet is larger than the MTU.
686 TODO: When relaying, the original sender does not know the end-to-end PMTU (it only knows the PMTU of the first hop).
687 This can lead to scenarios where large packets are sent over UDP to relay, but then relay has no choice but fall back to TCP. */
689 if(type == SPTPS_HANDSHAKE || tcponly || (!direct && !relay_supported) || (type != PKT_PROBE && (len - SPTPS_DATAGRAM_OVERHEAD) > relay->minmtu)) {
690 char buf[len * 4 / 3 + 5];
691 b64encode(data, buf, len);
692 /* If no valid key is known yet, send the packets using ANS_KEY requests,
693 to ensure we get to learn the reflexive UDP address. */
694 if(from == myself && !to->status.validkey) {
695 to->incompression = myself->incompression;
696 return send_request(to->nexthop->connection, "%d %s %s %s -1 -1 -1 %d", ANS_KEY, from->name, to->name, buf, to->incompression);
698 return send_request(to->nexthop->connection, "%d %s %s %d %s", REQ_KEY, from->name, to->name, REQ_SPTPS, buf);
703 if(relay_supported) overhead += sizeof to->id + sizeof from->id;
704 char buf[len + overhead]; char* buf_ptr = buf;
705 if(relay_supported) {
707 /* Inform the recipient that this packet was sent directly. */
708 node_id_t nullid = {};
709 memcpy(buf_ptr, &nullid, sizeof nullid); buf_ptr += sizeof nullid;
711 memcpy(buf_ptr, &to->id, sizeof to->id); buf_ptr += sizeof to->id;
713 memcpy(buf_ptr, &from->id, sizeof from->id); buf_ptr += sizeof from->id;
716 /* TODO: if this copy turns out to be a performance concern, change sptps_send_record() to add some "pre-padding" to the buffer and use that instead */
717 memcpy(buf_ptr, data, len); buf_ptr += len;
719 const sockaddr_t *sa = NULL;
721 if(relay->status.send_locally)
722 choose_local_address(relay, &sa, &sock);
724 choose_udp_address(relay, &sa, &sock);
725 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet from %s (%s) to %s (%s) via %s (%s)", from->name, from->hostname, to->name, to->hostname, relay->name, relay->hostname);
726 if(sendto(listen_socket[sock].udp.fd, buf, buf_ptr - buf, 0, &sa->sa, SALEN(sa->sa)) < 0 && !sockwouldblock(sockerrno)) {
727 if(sockmsgsize(sockerrno)) {
728 // Compensate for SPTPS overhead
729 len -= SPTPS_DATAGRAM_OVERHEAD;
730 if(relay->maxmtu >= len)
731 relay->maxmtu = len - 1;
732 if(relay->mtu >= len)
733 relay->mtu = len - 1;
736 logger(DEBUG_TRAFFIC, LOG_WARNING, "Error sending UDP SPTPS packet to %s (%s): %s", relay->name, relay->hostname, sockstrerror(sockerrno));
744 bool send_sptps_data(void *handle, uint8_t type, const void *data, size_t len) {
745 return send_sptps_data_priv(handle, myself, type, data, len);
748 bool receive_sptps_record(void *handle, uint8_t type, const void *data, uint16_t len) {
749 node_t *from = handle;
751 if(type == SPTPS_HANDSHAKE) {
752 if(!from->status.validkey) {
753 from->status.validkey = true;
754 from->status.waitingforkey = false;
755 logger(DEBUG_META, LOG_INFO, "SPTPS key exchange with %s (%s) succesful", from->name, from->hostname);
761 logger(DEBUG_ALWAYS, LOG_ERR, "Packet from %s (%s) larger than maximum supported size (%d > %d)", from->name, from->hostname, len, MTU);
766 inpkt.offset = DEFAULT_PACKET_OFFSET;
768 if(type == PKT_PROBE) {
770 memcpy(DATA(&inpkt), data, len);
771 udp_probe_h(from, &inpkt, len);
775 if(type & ~(PKT_COMPRESSED | PKT_MAC)) {
776 logger(DEBUG_ALWAYS, LOG_ERR, "Unexpected SPTPS record type %d len %d from %s (%s)", type, len, from->name, from->hostname);
780 /* Check if we have the headers we need */
781 if(routing_mode != RMODE_ROUTER && !(type & PKT_MAC)) {
782 logger(DEBUG_TRAFFIC, LOG_ERR, "Received packet from %s (%s) without MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
784 } else if(routing_mode == RMODE_ROUTER && (type & PKT_MAC)) {
785 logger(DEBUG_TRAFFIC, LOG_WARNING, "Received packet from %s (%s) with MAC header (maybe Mode is not set correctly)", from->name, from->hostname);
788 int offset = (type & PKT_MAC) ? 0 : 14;
789 if(type & PKT_COMPRESSED) {
790 length_t ulen = uncompress_packet(DATA(&inpkt) + offset, (const uint8_t *)data, len, from->incompression);
794 inpkt.len = ulen + offset;
796 if(inpkt.len > MAXSIZE)
799 memcpy(DATA(&inpkt) + offset, data, len);
800 inpkt.len = len + offset;
803 /* Generate the Ethernet packet type if necessary */
805 switch(DATA(&inpkt)[14] >> 4) {
807 DATA(&inpkt)[12] = 0x08;
808 DATA(&inpkt)[13] = 0x00;
811 DATA(&inpkt)[12] = 0x86;
812 DATA(&inpkt)[13] = 0xDD;
815 logger(DEBUG_TRAFFIC, LOG_ERR,
816 "Unknown IP version %d while reading packet from %s (%s)",
817 DATA(&inpkt)[14] >> 4, from->name, from->hostname);
822 receive_packet(from, &inpkt);
826 // This function tries to get SPTPS keys, if they aren't already known.
827 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if the keys are available.
828 static void try_sptps(node_t *n) {
829 if(n->status.validkey)
832 logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
834 if(!n->status.waitingforkey)
836 else if(n->last_req_key + 10 < now.tv_sec) {
837 logger(DEBUG_ALWAYS, LOG_DEBUG, "No key from %s after 10 seconds, restarting SPTPS", n->name);
838 sptps_stop(&n->sptps);
839 n->status.waitingforkey = false;
846 static void send_udp_probe_packet(node_t *n, int len) {
848 packet.offset = DEFAULT_PACKET_OFFSET;
849 memset(DATA(&packet), 0, 14);
850 randomize(DATA(&packet) + 14, len - 14);
854 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending UDP probe length %d to %s (%s)", len, n->name, n->hostname);
856 send_udppacket(n, &packet);
859 // This function tries to establish a UDP tunnel to a node so that packets can be sent.
860 // If a tunnel is already established, it makes sure it stays up.
861 // This function makes no guarantees - it is up to the caller to check the node's state to figure out if UDP is usable.
862 static void try_udp(node_t* n) {
866 struct timeval ping_tx_elapsed;
867 timersub(&now, &n->udp_ping_sent, &ping_tx_elapsed);
869 int interval = n->status.udp_confirmed ? udp_discovery_keepalive_interval : udp_discovery_interval;
871 if(ping_tx_elapsed.tv_sec >= interval) {
872 send_udp_probe_packet(n, MIN_PROBE_SIZE);
873 n->udp_ping_sent = now;
875 if(localdiscovery && !n->status.udp_confirmed && n->prevedge) {
876 n->status.send_locally = true;
877 send_udp_probe_packet(n, MIN_PROBE_SIZE);
878 n->status.send_locally = false;
883 static length_t choose_initial_maxmtu(node_t *n) {
888 const sockaddr_t *sa = NULL;
890 choose_udp_address(n, &sa, &sockindex);
894 sock = socket(sa->sa.sa_family, SOCK_DGRAM, IPPROTO_UDP);
896 logger(DEBUG_TRAFFIC, LOG_ERR, "Creating MTU assessment socket for %s (%s) failed: %s", n->name, n->hostname, sockstrerror(sockerrno));
900 if(connect(sock, &sa->sa, SALEN(sa->sa))) {
901 logger(DEBUG_TRAFFIC, LOG_ERR, "Connecting MTU assessment socket for %s (%s) failed: %s", n->name, n->hostname, sockstrerror(sockerrno));
907 socklen_t ip_mtu_len = sizeof ip_mtu;
908 if(getsockopt(sock, IPPROTO_IP, IP_MTU, &ip_mtu, &ip_mtu_len)) {
909 logger(DEBUG_TRAFFIC, LOG_ERR, "getsockopt(IP_MTU) on %s (%s) failed: %s", n->name, n->hostname, sockstrerror(sockerrno));
916 /* getsockopt(IP_MTU) returns the MTU of the physical interface.
917 We need to remove various overheads to get to the tinc MTU. */
918 length_t mtu = ip_mtu;
919 mtu -= (sa->sa.sa_family == AF_INET6) ? sizeof(struct ip6_hdr) : sizeof(struct ip);
921 if(n->status.sptps) {
922 mtu -= SPTPS_DATAGRAM_OVERHEAD;
923 if((n->options >> 24) >= 4)
924 mtu -= sizeof(node_id_t) + sizeof(node_id_t);
926 mtu -= digest_length(n->outdigest);
928 /* Now it's tricky. We use CBC mode, so the length of the
929 encrypted payload must be a multiple of the blocksize. The
930 sequence number is also part of the encrypted payload, so we
931 must account for it after correcting for the blocksize.
932 Furthermore, the padding in the last block must be at least
935 length_t blocksize = cipher_blocksize(n->outcipher);
947 logger(DEBUG_TRAFFIC, LOG_ERR, "getsockopt(IP_MTU) on %s (%s) returned absurdly small value: %d", n->name, n->hostname, ip_mtu);
953 logger(DEBUG_TRAFFIC, LOG_INFO, "Using system-provided maximum tinc MTU for %s (%s): %hd", n->name, n->hostname, mtu);
963 /* This function tries to determines the MTU of a node.
964 By calling this function repeatedly, n->minmtu will be progressively
965 increased, and at some point, n->mtu will be fixed to n->minmtu. If the MTU
966 is already fixed, this function checks if it can be increased.
969 static void try_mtu(node_t *n) {
970 if(!(n->options & OPTION_PMTU_DISCOVERY))
973 if(udp_discovery && !n->status.udp_confirmed) {
981 /* mtuprobes == 0..19: initial discovery, send bursts with 1 second interval, mtuprobes++
982 mtuprobes == 20: fix MTU, and go to -1
983 mtuprobes == -1: send one maxmtu and one maxmtu+1 probe every pinginterval
984 mtuprobes ==-2..-3: send one maxmtu probe every second
985 mtuprobes == -4: maxmtu no longer valid, reset minmtu and maxmtu and go to 0 */
987 struct timeval elapsed;
988 timersub(&now, &n->mtu_ping_sent, &elapsed);
989 if(n->mtuprobes >= 0) {
990 if(n->mtuprobes != 0 && elapsed.tv_sec == 0 && elapsed.tv_usec < 333333)
993 if(n->mtuprobes < -1) {
994 if(elapsed.tv_sec < 1)
997 if(elapsed.tv_sec < pinginterval)
1002 n->mtu_ping_sent = now;
1006 if(n->mtuprobes < -3) {
1007 /* We lost three MTU probes, restart discovery */
1008 logger(DEBUG_TRAFFIC, LOG_INFO, "Decrease in PMTU to %s (%s) detected, restarting PMTU discovery", n->name, n->hostname);
1013 if(n->mtuprobes < 0) {
1014 /* After the initial discovery, we only send one maxmtu and one
1015 maxmtu+1 probe to detect PMTU increases. */
1016 send_udp_probe_packet(n, n->maxmtu);
1017 if(n->mtuprobes == -1 && n->maxmtu + 1 < MTU)
1018 send_udp_probe_packet(n, n->maxmtu + 1);
1021 /* Before initial discovery begins, set maxmtu to the most likely value.
1022 If it's underestimated, we will correct it after initial discovery. */
1023 if(n->mtuprobes == 0)
1024 n->maxmtu = choose_initial_maxmtu(n);
1027 /* Decreasing the number of probes per cycle might make the algorithm react faster to lost packets,
1028 but it will typically increase convergence time in the no-loss case. */
1029 const length_t probes_per_cycle = 8;
1031 /* This magic value was determined using math simulations.
1032 It will result in a 1329-byte first probe, followed (if there was a reply) by a 1407-byte probe.
1033 Since 1407 is just below the range of tinc MTUs over typical networks,
1034 this fine-tuning allows tinc to cover a lot of ground very quickly.
1035 This fine-tuning is only valid for maxmtu = MTU; if maxmtu is smaller,
1036 then it's better to use a multiplier of 1. Indeed, this leads to an interesting scenario
1037 if choose_initial_maxmtu() returns the actual MTU value - it will get confirmed with one single probe. */
1038 const float multiplier = (n->maxmtu == MTU) ? 0.97 : 1;
1040 const float cycle_position = probes_per_cycle - (n->mtuprobes % probes_per_cycle) - 1;
1041 const length_t minmtu = MAX(n->minmtu, 512);
1042 const float interval = n->maxmtu - minmtu;
1044 /* The core of the discovery algorithm is this exponential.
1045 It produces very large probes early in the cycle, and then it very quickly decreases the probe size.
1046 This reflects the fact that in the most difficult cases, we don't get any feedback for probes that
1047 are too large, and therefore we need to concentrate on small offsets so that we can quickly converge
1048 on the precise MTU as we are approaching it.
1049 The last probe of the cycle is always 1 byte in size - this is to make sure we'll get at least one
1050 reply per cycle so that we can make progress. */
1051 const length_t offset = powf(interval, multiplier * cycle_position / (probes_per_cycle - 1));
1053 length_t maxmtu = n->maxmtu;
1054 send_udp_probe_packet(n, minmtu + offset);
1055 /* If maxmtu changed, it means the probe was rejected by the system because it was too large.
1056 In that case, we recalculate with the new maxmtu and try again. */
1057 if(n->mtuprobes < 0 || maxmtu == n->maxmtu)
1061 if(n->mtuprobes >= 0)
1066 /* These functions try to establish a tunnel to a node (or its relay) so that
1067 packets can be sent (e.g. exchange keys).
1068 If a tunnel is already established, it tries to improve it (e.g. by trying
1069 to establish a UDP tunnel instead of TCP). This function makes no
1070 guarantees - it is up to the caller to check the node's state to figure out
1071 if TCP and/or UDP is usable. By calling this function repeatedly, the
1072 tunnel is gradually improved until we hit the wall imposed by the underlying
1073 network environment. It is recommended to call this function every time a
1074 packet is sent (or intended to be sent) to a node, so that the tunnel keeps
1075 improving as packets flow, and then gracefully downgrades itself as it goes
1079 static void try_tx_sptps(node_t *n, bool mtu) {
1080 /* If n is a TCP-only neighbor, we'll only use "cleartext" PACKET
1081 messages anyway, so there's no need for SPTPS at all. */
1083 if(n->connection && ((myself->options | n->options) & OPTION_TCPONLY))
1086 /* Otherwise, try to do SPTPS authentication with n if necessary. */
1090 /* Do we need to relay packets? */
1092 node_t *via = (n->via == myself) ? n->nexthop : n->via;
1094 /* If the relay doesn't support SPTPS, everything goes via TCP anyway. */
1096 if((via->options >> 24) < 4)
1099 /* If we do have a relay, try everything with that one instead. */
1102 return try_tx_sptps(via, mtu);
1109 static void try_tx_legacy(node_t *n, bool mtu) {
1110 /* Does he have our key? If not, send one. */
1112 if(!n->status.validkey_in)
1115 /* Check if we already have a key, or request one. */
1117 if(!n->status.validkey) {
1118 if(n->last_req_key + 10 <= now.tv_sec) {
1120 n->last_req_key = now.tv_sec;
1130 void try_tx(node_t *n, bool mtu) {
1132 try_tx_sptps(n, mtu);
1134 try_tx_legacy(n, mtu);
1137 void send_packet(node_t *n, vpn_packet_t *packet) {
1138 // If it's for myself, write it to the tun/tap device.
1142 memcpy(DATA(packet), mymac.x, ETH_ALEN);
1144 n->out_bytes += packet->len;
1145 devops.write(packet);
1149 logger(DEBUG_TRAFFIC, LOG_ERR, "Sending packet of %d bytes to %s (%s)", packet->len, n->name, n->hostname);
1151 // If the node is not reachable, drop it.
1153 if(!n->status.reachable) {
1154 logger(DEBUG_TRAFFIC, LOG_INFO, "Node %s (%s) is not reachable", n->name, n->hostname);
1158 // Keep track of packet statistics.
1161 n->out_bytes += packet->len;
1163 // Check if it should be sent as an SPTPS packet.
1165 if(n->status.sptps) {
1166 send_sptps_packet(n, packet);
1167 try_tx_sptps(n, true);
1171 // Determine which node to actually send it to.
1173 node_t *via = (packet->priority == -1 || n->via == myself) ? n->nexthop : n->via;
1176 logger(DEBUG_TRAFFIC, LOG_INFO, "Sending packet to %s via %s (%s)", n->name, via->name, n->via->hostname);
1178 // Try to send via UDP, unless TCP is forced.
1180 if(packet->priority == -1 || ((myself->options | via->options) & OPTION_TCPONLY)) {
1181 if(!send_tcppacket(via->connection, packet))
1182 terminate_connection(via->connection, true);
1186 send_udppacket(via, packet);
1187 try_tx_legacy(via, true);
1190 void broadcast_packet(const node_t *from, vpn_packet_t *packet) {
1191 // Always give ourself a copy of the packet.
1193 send_packet(myself, packet);
1195 // In TunnelServer mode, do not forward broadcast packets.
1196 // The MST might not be valid and create loops.
1197 if(tunnelserver || broadcast_mode == BMODE_NONE)
1200 logger(DEBUG_TRAFFIC, LOG_INFO, "Broadcasting packet of %d bytes from %s (%s)",
1201 packet->len, from->name, from->hostname);
1203 switch(broadcast_mode) {
1204 // In MST mode, broadcast packets travel via the Minimum Spanning Tree.
1205 // This guarantees all nodes receive the broadcast packet, and
1206 // usually distributes the sending of broadcast packets over all nodes.
1208 for list_each(connection_t, c, connection_list)
1209 if(c->edge && c->status.mst && c != from->nexthop->connection)
1210 send_packet(c->node, packet);
1213 // In direct mode, we send copies to each node we know of.
1214 // However, this only reaches nodes that can be reached in a single hop.
1215 // We don't have enough information to forward broadcast packets in this case.
1220 for splay_each(node_t, n, node_tree)
1221 if(n->status.reachable && n != myself && ((n->via == myself && n->nexthop == n) || n->via == n))
1222 send_packet(n, packet);
1230 static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
1233 static time_t last_hard_try = 0;
1235 for splay_each(edge_t, e, edge_weight_tree) {
1236 if(!e->to->status.reachable || e->to == myself)
1239 if(sockaddrcmp_noport(from, &e->address)) {
1240 if(last_hard_try == now.tv_sec)
1245 if(!try_mac(e->to, pkt))
1253 last_hard_try = now.tv_sec;
1255 last_hard_try = now.tv_sec;
1259 void handle_incoming_vpn_data(void *data, int flags) {
1260 listen_socket_t *ls = data;
1263 node_id_t nullid = {};
1264 sockaddr_t addr = {};
1265 socklen_t addrlen = sizeof addr;
1267 bool direct = false;
1270 int len = recvfrom(ls->udp.fd, DATA(&pkt), MAXSIZE, 0, &addr.sa, &addrlen);
1272 if(len <= 0 || len > MAXSIZE) {
1273 if(!sockwouldblock(sockerrno))
1274 logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
1280 sockaddrunmap(&addr); /* Some braindead IPv6 implementations do stupid things. */
1282 // Try to figure out who sent this packet.
1284 node_t *n = lookup_node_udp(&addr);
1287 // It might be from a 1.1 node, which might have a source ID in the packet.
1288 pkt.offset = 2 * sizeof(node_id_t);
1289 from = lookup_node_id(SRCID(&pkt));
1290 if(from && !memcmp(DSTID(&pkt), &nullid, sizeof nullid) && from->status.sptps) {
1291 if(sptps_verify_datagram(&from->sptps, DATA(&pkt), pkt.len - 2 * sizeof(node_id_t)))
1300 n = try_harder(&addr, &pkt);
1305 if(debug_level >= DEBUG_PROTOCOL) {
1306 hostname = sockaddr2hostname(&addr);
1307 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from unknown source %s", hostname);
1313 if(n->status.sptps) {
1314 pkt.offset = 2 * sizeof(node_id_t);
1316 if(!memcmp(DSTID(&pkt), &nullid, sizeof nullid)) {
1321 from = lookup_node_id(SRCID(&pkt));
1322 to = lookup_node_id(DSTID(&pkt));
1325 logger(DEBUG_PROTOCOL, LOG_WARNING, "Received UDP packet from %s (%s) with unknown source and/or destination ID", n->name, n->hostname);
1330 send_sptps_data_priv(to, n, 0, DATA(&pkt), pkt.len - 2 * sizeof(node_id_t));
1339 if(!receive_udppacket(from, &pkt))
1342 n->sock = ls - listen_socket;
1343 if(direct && sockaddrcmp(&addr, &n->address))
1344 update_node_udp(n, &addr);
1347 void handle_device_data(void *data, int flags) {
1348 vpn_packet_t packet;
1349 packet.offset = DEFAULT_PACKET_OFFSET;
1350 packet.priority = 0;
1352 if(devops.read(&packet)) {
1353 myself->in_packets++;
1354 myself->in_bytes += packet.len;
1355 route(myself, &packet);
projects / tinc / blob